[75258] in North American Network Operators' Group
Re: Important IPv6 Policy Issue -- Your Input Requested
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Nov 9 16:17:09 2004
To: Jerry Eyers <jeyers@sloancc.net>
Cc: bsdusr@gmail.com, "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: Your message of "Wed, 10 Nov 2004 03:14:51 EST."
<4191CDFB.00000B.01076@11IBM27>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 09 Nov 2004 16:15:41 -0500
Errors-To: owner-nanog-outgoing@merit.edu
--==_Exmh_591163292P
Content-Type: text/plain; charset=us-ascii
On Wed, 10 Nov 2004 03:14:51 EST, Jerry Eyers said:
> "Get a firewall" is not a valid response when you have lusers
> to drop the latest netgear whatever onto their PC and dial
> to some provider somewhere. Your firewall is useless to
> protect that segment. In many cases NAT is the ONLY
> protection you end up with in this scenario, a scenario that
> is far to common in the corporate world.
And NAT does what, exactly, to defend you against a PC that has
one interface on the NAT'ed network and one interface "elsewhere/elsewhen"
(be it a netgear, or somebody at the far end of a VPN, or a laptop
that was connected externally, and now is on the corporate LAN)?
There's a *reason* why Bill Cheswick said "A crunchy shell around
a soft, chewy inside"......
--==_Exmh_591163292P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFBkTN8cC3lWbTT17ARAnb7AKCsjfccHAEGTpPOiKQVVew5zgUzYACg88At
FrVtqUrbMh03D9R4rSe4AME=
=Hd7f
-----END PGP SIGNATURE-----
--==_Exmh_591163292P--
